DMARC is now an essential part of internet security

Dec 12, 2017

Email encryption and authentication standards like DMARC and STARTTLS are becoming essential for closing security gaps.

[Image: man pointing to a security icon for email. Credit: Thinkstock]

On October 16, the Department of Homeland Security announced that it would require federal agencies to implement DMARC and STARTTLS on their email-sending domains within 90 days, and HTTPS on their websites within 120 days.

While the directive only applies to the U.S. federal executive branch, it will have far wider effects. In the past month and a half, I have been hearing from executives in finance, health care, and other fields that they, too, are looking at securing their email systems the same way the federal government is. (The directive is Binding Operational Directive 18-01, which covers HTTPS, DMARC, and STARTTLS.)

In short, DHS has created a new de facto best practice for doing business on the Internet, just as Google did a few years ago with HTTPS.

Why email security matters now

These two email standards are aimed at closing fundamental security gaps in email that have existed since it was first created four decades ago: SMTP as originally designed neither verifies who sent a message nor protects it from being read on the wire. DMARC builds on SPF and DKIM to authenticate the domain shown in a message's From header and tells receivers what to do with mail that fails. STARTTLS lets mail servers upgrade their SMTP connection to TLS, so messages are encrypted while they are transmitted between servers.

This directive comes at a good time. The Internet is facing a historic explosion of phishing attacks and email impersonation exploits and many companies have seen a spike in the number of phishing emails.

Phishing is the number one vector through which cyberattacks begin, by far: it is the starting point for over 90 percent of all breaches. The majority of phish rely on impersonation: the senders forge the From header so the message appears to come from a known sender, often the CEO or CFO of the recipient's company or a trusted partner.

These kinds of attacks cost real money. To pick just one subcategory of email fraud, business email compromise (BEC) has cost American businesses $5.3 billion since 2013, according to the Federal Bureau of Investigation.

Just recently, Mimecast released the results of research showing that email impersonation attacks increased by 50 percent in the most recent quarter.

The threat is real, and it’s growing.

How HTTPS became ubiquitous

Standards, like new technologies, have to cross a “chasm” from early adopters to widespread adoption, to use Geoffrey Moore’s influential terminology.

Proposals that go through official standards-making bodies don’t always become universally adopted. And sometimes de facto standards come about without going through an official vetting process.

Often, what it takes to create a true standard is for a major player, such as a government agency or a big company, to embrace it. Support from a big enough player can push a standard across the "chasm," transforming it from merely a good idea into something that everyone takes for granted.

Ever wonder why websites suddenly started making the shift to HTTPS a few years ago? It’s not because of the reassuring “lock” icon that browsers display next to the URL bar, indicating that you’ve got a secure session with that web server. Sure, that’s a nice feature, and e-commerce sites have been using it to ensure security on their transaction pages for well over a decade.

But what made HTTPS ubiquitous for nearly all websites was Google embracing it in 2014, first by recommending that everyone use it, and then, crucially, by using HTTPS as a ranking signal. In short, Google made it so that your site would appear higher in search results if it used HTTPS.

It didn’t take long before every chief marketing officer was beating down the doors of their IT departments, demanding that they make their websites HTTPS by default.

The growth in HTTPS continues to this day. In 2016, about 40 percent of web page loads used HTTPS, and the figure is nearing 70 percent today, according to certificate authority Let's Encrypt.

DHS raised the bar for email

A similar thing is about to happen with email security through DMARC and STARTTLS.

You might think that this is too little, too late for a communications medium that’s on its way out.

Guess again.

Yes, Slack has taken Silicon Valley by storm for rapid team-based collaboration. And Snapchat, Instagram, and WhatsApp rule the world of impromptu, ephemeral consumer communication.

Still, email continues to thrive and even grow. There are now 6.3 billion email inboxes in use around the world, used by 3.7 billion people, or half the planet’s population. Worldwide, those people send almost 270 billion email messages every single day.

That’s because email serves a vital function: Enabling universal, global, two-way communication between companies and their customers.

Email's biggest problem right now is the surge in phishing I described above. A large share of those attacks could be stopped by implementing email authentication through DMARC, but only if the domain publishes an enforcing policy (p=quarantine or p=reject); a p=none record gives you reports and changes nothing about delivery, which is why the DHS directive starts agencies at p=none and requires p=reject within a year. At enforcement, a message whose From header claims your domain but fails both SPF and DKIM alignment is quarantined or rejected by every receiver that checks DMARC, which closes off exact-domain spoofing. DMARC does not stop lookalike domains, display-name tricks, or mail sent from a compromised legitimate account, so it removes a large class of impersonation rather than all of it.
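To make concrete what DMARC does and does not decide, here is an added example (not code from the article, DHS, or ValiMail) that evaluates a DMARC policy for a received message the way a receiving mail server would under RFC 7489. The DMARC record, the domains (agency.example, attacker.example, agency-example.com) and the SPF/DKIM results are all constructed inline, so it runs offline; the organizational-domain helper assumes a two-label suffix instead of consulting the Public Suffix List.

```python
# Added example, not from the article: minimal DMARC policy evaluation
# (RFC 7489) for one received message. All DNS data and authentication
# results are constructed here; nothing is looked up over the network.
from dataclasses import dataclass

# Constructed TXT records as they would sit at _dmarc.<domain>.
# "agency.example" is a hypothetical domain used only for this example.
DNS_TXT = {
    "_dmarc.agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary.

    Defaults follow RFC 7489: relaxed alignment for SPF and DKIM, and
    the policy applied to 100 percent of failing mail.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Real implementations consult the Public Suffix List; this example
    assumes a two-label suffix (mail.agency.example -> agency.example).
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed
    ('r') accepts any subdomain of the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str   # RFC5321.MailFrom domain SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str  # d= of the passing DKIM signature, if any


def evaluate_dmarc(from_domain: str, auth: AuthResults, dns=DNS_TXT):
    """Return (result, disposition) for the RFC5322.From domain.

    result is 'pass', 'fail' or 'none' (no DMARC record published);
    disposition is what the receiver should do: 'none', 'quarantine'
    or 'reject'.
    """
    txt = dns.get("_dmarc." + from_domain.lower().rstrip("."))
    if txt is None:
        # No policy published: DMARC says nothing about this message.
        # This is why a lookalike domain registered by an attacker is
        # not stopped by the real domain's DMARC record.
        return "none", "none"
    policy = parse_dmarc_record(txt)
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed scenarios: a legitimate message, an exact-domain spoof whose
# own SPF passes but does not align, and a lookalike domain with no record.
LEGIT = AuthResults(True, "mail.agency.example", True, "agency.example")
SPOOF = AuthResults(True, "attacker.example", False, "")
LOOKALIKE = AuthResults(True, "agency-example.com", False, "")

if __name__ == "__main__":
    print(evaluate_dmarc("agency.example", LEGIT))          # ('pass', 'none')
    print(evaluate_dmarc("agency.example", SPOOF))          # ('fail', 'reject')
    print(evaluate_dmarc("agency-example.com", LOOKALIKE))  # ('none', 'none')
```

The spoof case is the one an enforcing policy kills: the attacker's server passes SPF for its own domain, but the SPF identifier does not align with the forged From domain and there is no aligned DKIM signature, so the receiver applies p=reject. The lookalike case never reaches a policy at all, which is the gap DMARC leaves for brand-protection and user training to cover.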

STARTTLS protects the channel rather than the sender. It encrypts messages while they move between mail servers, defending this vital communications channel against eavesdropping and tampering in transit; it does nothing about impersonation, which is DMARC's job. Because STARTTLS is opportunistic, a server that is offered no TLS falls back to plaintext, so the directive also requires disabling SSLv2 and SSLv3 and weak ciphers such as 3DES and RC4 on the servers that do negotiate it.

That’s why the DHS order comes at just the right time to push email security over the chasm. There’s a pressing need for authentication, and one of the largest governments in the world is now moving to implement it.

It won’t be long before DMARC and STARTTLS are just as ubiquitous as HTTPS is today.


Alexander García-Tobar is CEO and co-founder of ValiMail, a leading provider of email authentication services for CIOs of large enterprises, located in San Francisco. Alexander has deep roots in the email authentication and cybersecurity space, as a global executive and advisor at Agari, ValiCert and Sygate.

A veteran entrepreneur, Alexander has held various positions at high tech companies such as Lattice3D, SyncTV and Individual. Prior to that he worked at leading research and consulting firms such as The Boston Consulting Group and Forrester Research.

The opinions expressed in this blog are those of Alexander García-Tobar and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.